VPN company shuts down after Lavabit case demonstrates threat of state-ordered, secret self-sabotage

CryptoSeal has shut down CryptoSeal Privacy, a VPN product advertised as a privacy tool, citing the action against Lavabit, the privacy-oriented email provider used by Edward Snowden. Court documents released in the wake of Lavabit's shutdown showed that the US government believes that it has the power to order service providers to redesign their systems to make it possible to spy on users. CryptoSeal had been operating under the assumption that since it had no way of spying on its users, it was immune to wiretap orders, and the revelation that it might be forced to break its system's security was enough to put the company off altogether. Like Lavabit, CryptoSeal was unwilling to advertise a service as immune from snooping if it might someday be forced to secretly redesign its systems to make snooping possible.

“With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability,” the company said in a statement....

“The Lavabit case, with filings released by Kevin Poulsen of Wired.com reveals a Government theory that if a pen register order is made on a provider, and the provider’s systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device,” CryptoSeal states.

A pen register is a device originally created in the 1800s for recording telegraph signals on paper but more recently the term has been used to describe devices that can monitor telephone lines and Internet communications. Since VPN communications are encrypted, CryptoSeal believes that the only way it would be able to comply with a pen register order would be to do the unthinkable – hand over its encryption keys.

“Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service,” the company informs.